73
Chapter 8
VPN (IPSec)
This Chapter describes the VPN capabilities and configuration required for
common situations.
Overview
This section describes the VPN (Virtual Private Network) support provided by your VRT-311 /
VRT-311S.
A VPN (Virtual Private Network) provides a secure connection between 2 points, over an
insecure network - typically the Internet. This secure connection is called a
VPN Tunnel
.
There are many standards and protocols for VPNs. The standard implemented in VRT-311 /
VRT-311S is
IPSec
.
IPSec
IPSec is a near-ubiquitous VPN security standard, designed for use with TCP/IP networks. It
works at the packet level, and authenticates and encrypts all packets traveling over the VPN
Tunnel. Thus, it does not matter what applications are used on your PC. Any application can
use the VPN like any other network connection.
IPsec VPNs exchange information through logical connections called
SA
s (Security Associa-
tions). An SA is simply a definition of the protocols, algorithms and keys used between the two
VPN devices (endpoints).
Each IPsec VPN has two SAs - one in each direction. If
IKE
(Internet Key Exchange) is used
to generate and exchange keys, there are also SA's for the IKE connection as well as the IPsec
connection.
There are two security modes possible with IPSec:
•
Transport Mode
- the payload (data) part of the packet is encapsulated through encryp-
tion but the IP header remains in the clear (unchanged).
VRT-311
/ VRT-311S does NOT support Transport Mode.
•
Tunnel Mode
- everything is encapsulated, including the original IP header, and a new IP
header is generated. Only the new header in the clear (i.e. not protected). This system pro-
vides enhanced security.
VRT-311
/ VRT-311S always uses Tunnel Mode.
IKE
IKE (Internet Key Exchange) is an optional, but widely used, component of IPsec. IKE pro-
vides a method of negotiating and generating the keys and IDs required by IPSec. If using IKE,
only a single key is required to be provided during configuration. Also, IKE supports using
Certificates
(provided by CAs - Certification Authorities) to authenticate the identify of the
remote user or gateway.
If IKE is NOT used, then all keys and IDs (SPIs) must be entered manually, and Certificates
can NOT be used. This is called a "Manual Key Exchange".
When using IKE, there are 2 phases to establishing the VPN tunnel:
8